Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Incorrect Authorization vulnerability in Drupal Material Icons allows Forceful Browsing.This issue affects Material Icons: from 0.0.0 before 2.0.4.
AnalysisAI
An incorrect authorization vulnerability exists in the Drupal Material Icons module that allows attackers to bypass authentication controls and access restricted resources through forceful browsing (CWE-863). The vulnerability affects Material Icons versions 0.0.0 through 2.0.3, enabling unauthenticated or low-privileged users to enumerate and access icon resources that should be restricted. No CVSS score, EPSS data, or known exploits in the wild have been disclosed at this time, but the vulnerability has been formally documented by the Drupal security team with a dedicated security advisory.
Technical ContextAI
The Material Icons module for Drupal (CPE: cpe:2.3:a:drupal:material_icons:*:*:*:*:*:*:*:*) is a Drupal contrib module that provides Material Design icon resources for use in Drupal applications. The root cause is classified under CWE-863 (Incorrect Authorization), indicating that the module fails to properly enforce access control checks on icon resources or endpoints. Rather than implementing proper permission-based access controls or role-based restrictions, the module likely relies on obscurity or missing authorization logic, allowing attackers to bypass authentication via direct URL access (forceful browsing). This is a classic authorization bypass rather than an authentication bypass, meaning authenticated sessions may still access resources they should not, or unauthenticated users can access resources entirely.
RemediationAI
Upgrade the Drupal Material Icons module to version 2.0.4 or later immediately. This patch release directly addresses the authorization bypass vulnerability. Site administrators should apply the update through Drupal's admin interface (Admin > Extend > Update) or via Composer with the command 'composer update drupal/material_icons'. As an interim workaround pending patching, enforce restrictive access controls at the web server or reverse proxy level to limit access to icon endpoints to authenticated users only, and review server logs for suspicious direct requests to icon resources. Refer to the official advisory at https://www.drupal.org/sa-contrib-2026-011 for any additional security guidance from the Drupal maintainers.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15465